The Complex

Pentagon Contractor Sent Goods Through Iran for Years

Anham, the firm with a fat, multibillion-dollar Pentagon contract to support American forces in Afghanistan, claims it only found out recently that its suppliers were making illegal shipments through Iran. But documents obtained by Foreign Policy suggest that the firm has been aware of these transfers for 18 months -- and did nothing to stop them.

The Wall Street Journal reported on Thursday that Anham FZCO, which is contracted with the Pentagon to provide food service and water to troops in Afghanistan, had shipped some materials through a third-party vendor for a warehouse it built at Bagram Air Base near Kabul. The company apparently shipped construction equipment into Iran's Bandar Abbas seaport in the Persian Gulf last year and then transported those materials across Iran. The construction of the warehouse allowed Anham to snag a Pentagon contract estimated at $8.1 billion, according to the paper -- with a $30 billion ceiling. The question now becomes: Was that contract issued to a firm that was knowingly breaking the law?

Shipping goods across Iran could be in violation of U.S. sanctions against that country. The seaport is run in part by a company called Tidewater Middle East Co., an Iranian concern that the Treasury Department told the Journal is owned by Iran's Islamic Revolutionary Guard Corps. The Guard is sanctioned for allegedly conducting international terrorism.

The Treasury Department has regulated U.S. trade with Iran since 1987, when President Reagan issued an executive order prohibiting Iranian imports. Since then, the law has been expanded with 15 years' worth of executive orders and bills, including, most recently, the Iran Threat Reduction and Syria Human Rights Act passed last year. These have been consolidated and codified in the Treasury's Iranian Transactions Regulations.

According to the Treasury Department, in practice these laws ban "U.S. persons, including foreign branches of U.S. depository institutions and trading companies" from "engaging in any transactions, including purchase, sale, transportation, swap, financing, or brokering transactions related to goods or services of Iranian origin." This applies to foreign subcontractors, as well: Treasury states, "No U.S. person may approve or facilitate the entry into or performance of transactions or contracts with Iran by a foreign subsidiary of a U.S. firm that the U.S. person is precluded from performing directly."

Officials at Anham told the Journal that top company officials only became aware of the shipping issue within the last week.

But documents provided to FP seem to indicate otherwise. Company emails from as early as February 2012 discuss the shipments from Iran. Among the people included on those messages were company officials like Fadi Nahas, who FP is told is the vice president of Anham operations.

Nahas and other Anham corporate officials were on a Feb. 16, 2012 chain of emails sent by Dana Tracks, LLC, a logistics subcontractor, that describes the status of eight shipping containers leaving "BA," which stands for Bandar Abbas. "So far, his team in Iran hasn't got back to him on this as they are busy getting done with the procedures at the customs there," the email says. "According to him, moving the containers through the new route requires lots of procedures with the shipping lines and customs."

Another email on March 29 from Dana Tracks indicates there will be a delay in some shipping containers' arrival. "I regret to inform you that Royal Crown still insist [sic] that there will be no movement from [Bandar Abbas] before April 2nd due to the Iranian new year." Anham executives were copied on that message.

The emails appear to be proof that corporate executives at Anham, which signed its contract with the Defense Department in June 2012, were aware that its third-party vendor was shipping materials for its warehouse through Iran. Shipping through Iran is considered a cheaper alternative to using Pakistan, where crossings are notoriously unreliable and, in fact, were closed at the time of the shipments in question. Otherwise, ground shipping into Afghanistan might have to go through Turkmenistan, for example, which would be far more costly.

An individual familiar with the contracts told FP they believe Anham may have low-bid the contract with the Pentagon based on its ability to transfer materials through Iran to build the warehouse necessary for winning the food service and water contract.

"They got their hand caught in the cookie jar," said that individual.

Anham describes itself as a contracting company created by larger firms Arab Supply and Trading Company of Saudi Arabia, GMS Holdings of Amman, Jordan, and HII-Finance Corporation of Vienna, Va., according to the company's web site.

Anham officials insisted that the ban on shipping goods through Iran has exceptions -- although they did not outline what those exceptions might be. Sam Fabens, a company representative, told FP that the firm had voluntarily disclosed to the Treasury and Commerce Departments that some items were shipped through Iran and that it was conducting its own investigation of the matter. "Based on the current state of the investigation, Anham believes that only a handful of foreign-origin items for use in Afghanistan were involved out of our thousands of shipments to Afghanistan, all or some of which we believe may have been eligible for such trans-shipment under legal exceptions and other provisions of law in place at the time," Fabens said in a statement. "We will not comment on any specific charges or allegations until that investigation is complete nor will we be responding to rumors and innuendo," he said.

He would not address specifically the apparent discrepancy between what the company told the WSJ -- that it only discovered the Iran shipments last week -- and the emails indicating the practice had gone on since early 2012.

The Pentagon referred queries to the Defense Logistics Agency, which confirmed that Anham had notified the agency on Sept. 23 that it had already notified the Treasury and Commerce Departments about the shipments. "We have requested additional information from Anham, as well as appropriate government agencies, to confirm that Anham's actions, including its performance under its contract with DLA, remain in accordance with applicable law and regulations," said DLA spokesperson Michelle McCaskill.


Icefog: The Hacker Crew Trying to Break Into Your Weapons

A new cyber-theft ring from Asia is committing a string of smash-and-grab-style attacks against suppliers to major military contractors. This isn't just any hacker crew; its targeting of defense subcontractors means it could easily undermine the integrity of the world's weapons.

This new crew, dubbed Icefog by Kaspersky Lab, is small and nimble, and it appears to know exactly what it wants to steal from its victims. Unlike some other advanced hacker outfits that linger on victims' networks for months or years after gaining access, the Icefog crew doesn't stick around waiting to get caught.

"They will infiltrate an organization. They know exactly what they are looking for, pull it out, and as soon as they complete their assignment they move on -- they actually clean things up and move on," said Kurt Baumgartner, a security researcher with Kaspersky, during a speech in Washington today.

Kaspersky researchers think the people behind Icefog are based in China, South Korea, and Japan.

Icefog attacked several hundred victims -- everything from TV stations, satellite operators, maritime logistics firms, communications businesses, defense contractors, and shipbuilders, according to Kaspersky. Most of the victims are in South Korea and Japan, but victims have been found everywhere from China to Belarus. There are also "strong suggestions that there were Western targets, including the U.S.," said Baumgartner.

The crew steals "sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim's network," reads Kaspersky's press release. "They look for specific filenames, which are quickly identified, and transferred to" Icefog.

Most alarming are the crew's attacks against smaller parts suppliers to major defense contractors. Icefog's hackers could break into the poorly defended network of a defense subcontractor and plant destructive malware inside its products before they are placed in a weapon such as a fighter jet.

This "creates a lot of problems because not only is there potential for economic espionage ... there's the chance for low-scale sabotage with destructive attacks that bring a whole new set of challenges," said Baumgartner.

One South Korean company that Icefog was interested in "provides heads-up displays for F-15s, and they provide radar jamming for F-16s" used by Seoul's air force, said Baumgartner. He would not reveal whether the firm, LIG Nex1, had actually been penetrated by Icefog.

This past July, David Shedd, deputy director of the U.S. Defense Intelligence Agency, warned that foreign intelligence agencies are trying to do exactly that to American military suppliers.

"Our adversaries are very active in trying to introduce material into the supply chain in ways that threaten our security from the standpoint of their abilities to collect [intelligence] and disrupt" U.S. military operations, said Shedd.

Making things worse is that the United States doesn't have a true understanding of how vulnerable its supply chain is to this style of attack.

"I'm generally an optimist, [but] in the supply chain area, I'm very concerned," said Shedd, given that he doesn't truly know the full extent of adversary penetration into DOD weapons systems. "You don't know what you don't know, and the old adage of the weakest link is obviously what we need to be concerned about."

That's exactly the link Icefog is pounding. Baumgartner said the small, well-funded crew of "cyber-mercenaries" develops new attack techniques for each target. This makes Icefog incredibly hard to track since researchers have a hard time connecting individual attacks to one another -- before it's too late.
